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1.  Background 


Current  breakthroughs  in  mobile  computing  technology  will  allow  unprecedented 
computational  power  and  information  from  almost  anywhere  via  hand-held 
devices.  The  explosion  of  mobile  devices  presents  unique  security  concerns  that 
may  not  have  been  considered  because  productivity  software  has  migrated  from  a 
traditional  wired-network  architecture  utilizing  personal  computers  (PCs)  to  mobile 
phones  entirely  dependent  on  wireless  communications. 

Initial  work  using  the  Extremely  Lightweight  Intrusion  Detection  (ELIDe)  system 
focused  on  replicating  the  malicious-packet  detection  that  is  achieved  using  larger, 
more  computationally  heavy  systems  through  machine-learning  techniques.  If  a 
combination  of  N-gram  hashing,  stochastic  gradient  descent,  and  linear  classifiers 
is  used,  it  is  possible  to  closely  match  the  performance  of  traditional  packet 
classification  but  significantly  reduce  the  computational  load,  which  leads  to  lower 
power  requirements. 

Because  ELIDe  was  found  to  be  effective  in  performing  network  packet 
classification,  it  is  now  necessary  to  determine  how  this  capability  will  perform  on 
a  mobile  device  such  as  a  consumer-targeted  Android  phone.  Ritchey  et  al.^ 
established  how  to  build  the  dependencies  needed  to  run  ELIDe  on  a  mobile 
platform.  This  process  included  compiling  both  Basic  Linear  Algebra  Subprograms 
(BLAS)  and  libpcap  for  the  Android  platform.  The  work  described  in  this  document 
continues  the  effort  required  to  migrate  ELIDe  to  Android. 

2.  Configuration 

The  following  is  a  list  of  the  software  and  hardware  used  as  part  of  the  development 
effort  needed  to  migrate  ELIDe  to  the  Android  platform. 

2.1  Development  Work  Station 

The  work  station  has  the  following  configuration; 

•  Operating  System;  Red  Hat  Enterprise  Linux,  version  6.5 

•  Android  Development  Tools,  version  22.3.0-887826 

•  Android  NDK  Revision  9 

•  Dell  Precision  T7400 
o  8-GB  memory 
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o  Dual  Xeon  X5472  central  processing  unit 

■  Quad  Core 

■  3.00  GHz 

2.2  Development  Mobile  Device 

The  following  mobile  devices  were  used  to  develop  the  mobile  version  of  ELIDe; 

•  Android  4.3  Jelly  Bean  (Application  Programming  Interface  Level  18) 

•  Sprint-branded  Galaxy  S3 

o  Qualcomm  Snapdraggon  S4  Plus  MSM8960 
o  Dual-core  1.5-GHz  Krait  processor 
o  Adreno  225  graphics  processor 
o  2048  MB  of  RAM 
o  32-GB  internal  storage 
o  2 100-mAh  battery 

3.  Developing  the  Software 

Much  of  this  work  extends  from  research  efforts  accomplished  in  Compilation  of  a 
Network  Security/Machine  Learning  Toolchain  for  Android  ARM  Platforms.^ 
However,  it  utilizes  several  other  pieees  of  work  that  will  be  referenced  throughout 
the  document.  The  following  steps  were  taken  to  port  LLIDe  to  the  Android 
platform. 

•  Root  the  Android  device  to  use  the  libpcap  to  aecess  the  device’s 
hardware  interfaces 

•  Set  up  Android  x86  on  VirtualBox 

•  Build  a  new  Android  application 

•  Compile  ELIDe’s  C++  and  LORTRAN  code  for  Android 

•  Generate  the  ELIDe  native  code  at  back  end 

•  Develop  the  Android  applieation  at  front  end 

•  Deploy  the  applieation 
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Although  there  are  several  different  ways  to  port  the  ELIDe  functionality  over  to 
the  Android  platform,  a  C++  based  native  code  for  ELIDe  was  chosen.  The  Android 
ELIDe  native  code  was  developed  based  on  the  existing  ELIDe  Linux  version  with 
some  modifications,  which  improved  speed  and  performance  as  well  as  the  network 
data-capturing  capability.  In  addition,  the  same  native  code  can  be  used  to  operate 
the  software  on  both  the  Linux  and  Android  operating  systems.  An  advantage  to 
using  the  non-native  code  is  the  Android  device  does  not  have  to  be  rooted; 
however,  the  absence  of  the  native  code  would  mean  dramatically  decreased  speed 
performance,  and  this  makes  the  ELIDe  application  inoperable. 

3.1  Rooting  Android  Device 

“Rooting”  refers  to  the  process  of  gaining  access  to  the  administrative  commands 
and  functions  of  an  operating  system  (OS).  An  Android  device  comes  with  a 
number  of  protections  so  that  applications  developed  by  the  platform  are  not 
supposed  to  be  able  to  run  with  a  root  context.  However,  in  order  to  listen  to  the 
network  communications  transmitted  and  received  on  the  wireless  adapter,  root 
privileges  are  required.  Because  Android  does  not  provide  root  capabilities  by 
default,  it  became  necessary  to  take  steps  to  root  the  device  so  that  root  privileges 
for  specific  ELIDe  processes  can  be  used. 

The  procedure  needed  to  root  an  Android  phone  varies  by  device.  The  technical 
note  Rooting  Android  Device^  details  how  the  experimental  Android  device  is 
rooted.  When  virtualized  Android  x86  is  used,  the  root  context  is  allowed  by 
default. 

3.2  Android  OS  on  Virtual  Machine 

A  lot  of  the  initial  development  for  virtual  machines  was  achieved  without  running 
code  on  the  mobile  device.  The  Android  Software  Development  Kit  (SDK)  includes 
the  ability  to  emulate  several  different  Android  devices,  called  Android  Virtual 
Devices  (AVDs).  These  AVDs  are  tools  used  to  debug  the  Android  software 
without  using  the  actual  Android  devices.  The  major  drawback  to  using  AVDs  is 
that  they  perform  a  direct  translation  for  ARM  instructions  to  x86  instructions  in 
order  to  run  Android  applications  on  work  stations  equipped  with  an  Intel  or 
Advanced  Micro  Devices  processor.  Although  this  process  allows  for  a  more 
accurate  reproduction  of  the  application,  AVDs  run  much  slower  than  actual 
hardware  because  of  the  translation.  The  slowdown  may  intensify  significantly  if 
the  application  developed  is  intended  for  a  heavy  computational  load.  Due  to  the 
slow  performance  of  AVDs,  the  application  cannot  handle  relatively  high-speed 
network  traffic  during  testing.  In  order  to  test  the  application  on  the  development 
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work  station,  a  version  of  Android  for  x86  processors  was  utilized.  This  technique 
can  then  be  virtualized  on  the  development  work  station  and  integrated  into  the 
compilation  process  used  by  the  Android  SDK.  Although  this  representation  is  not 
as  accurate  as  the  application  running  on  a  device,  it  was  more  than  satisfactory  for 
study  purposes.  The  report  Android  Virtual  Machine  (VM)  Setup  on  Linux^  has  a 
more  detailed  explanation  of  this  method. 

3.3  Building  a  New  Android  Application 

The  ELIDe  application  is  built  based  on  the  Default  Android  Auto -Generated 
Android  project.  To  build  a  new  Android  application,  follow  these  steps: 

1.  Use  Eclipse  from  the  Android  SDK.  Erom  Eile->New-> Android 
Application  Project,  it  will  bring  up  the  New  Android  Project  setting  page. 

2.  Click  the  “Next”  button.  Supply  the  names  for  the  fields  of  Application 
Name  (i.e.,  ElideTest),  Project  Name,  and  Package  Name. 

3.  Use  the  default  settings  on  the  Configure  Project  setting  page,  click  the 
“Next”  button. 

4.  Use  the  default  settings,  click  “Next”  from  the  Configure  Eaunch  Icon 
setting  page. 

5.  Use  the  default  settings,  with  Create  Activity  checked  and  blank  activity 
selected,  click  “Next”  from  the  “Create  Activity”  page. 

6.  Type  in  the  Activity  Name  (i.e..  Elide  Activity),  Eayout  Name,  and 
Navigation  Type  from  the  “Blank  Activity”  page.  Click  “Finish”. 

Now  the  new  application  is  created.  To  add  support  for  native  code  compiled 
through  the  use  of  the  Android  NDK,  create  a  “jni”  directory  under  the  new  project 
directory.  If  it  is  assumed  that  the  project  is  called  “ElideTest”,  then  this  new  path 
is  called  “ElideTest/jni”. 

3.4  Compile  C++  and  FORTRAN  Dependencies  for  ELIDe  on 
Android 

A  major  challenge  for  using  C/C++  and  FORTRAN  together  when  developing  the 
Android  platform  is  establishing  a  relationship  between  the  data  types  that  the 
FORTRAN  library  uses  and  understanding  which  C/C++  data  type  to  use  as  an 
argument.  If  there  is  a  mismatch  in  the  data  type  using  the  FORTRAN  function,  the 
code  may  compile  without  any  errors;  however,  the  linker  will  produce  an  error.  To 
solve  this  problem,  the  proper  relationships  between  the  data  types  used  need  to  be 
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established.  This  can  be  achieved  by  using  the  keyword  “extern”  accompanied  by 
“C.”  (An  example  of  how  this  task  is  accomplished  is  shown  in  Appendix  A.)  Be 
warned  that  it  is  not  sufficient  to  simply  use  the  standard  C  convention  using  the 
keyword  “extern”  with  a  function  or  struct.  More  details  can  be  seen  in  an  online 
tutorial."^ 

The  additional  steps  needed  to  compile  the  FORTRAN  and  C++  dependencies  for 
ELIDe  are  found  in  Ritchey  et  al.^  By  following  the  procedure  called  out  in  the 
Ritchey  et  al.^  report,  both  the  libpcap  and  BLAS  dependencies  will  be  compiled  for 
use  by  ELIDe  for  Android. 

3.5  The  Elide  Native  Code  Back  End 

There  are  2  major  ways  Android  applications  can  communicate  with  natively 
compiled  applications:  call  Java  Native  Interface  (JNI)  directly  and  call  native 
executable.  These  methods  are  discussed  in  details  in  Monitor  Network  Traffic  with 
Packet  Capture  (pcap)  on  Android  Device.^  Both  methods  must  satisfy  the  root 
access  requirement  needed  to  listen  to  raw  network  traffic;  however,  to  perform  this 
task,  the  native  executable  was  necessary.  The  libpcap  and  BLAS  were  used  to 
accomplish  this  task,  as  stated  in  the  previous  section. 

To  utilize  libpcap  and  BLAS,  libpcap,  BLAS,  and  “elide”  must  be  on  the  same 
source  project  level.  In  order  for  the  executable  produced  by  “elide”  to  use  BLAS 
and  libpcap,  their  compiled  libraries  needed  to  be  linked.  This  process  was 
accomplished  by  modifying  the  Android  project  make  file  (Android.mk)  and 
including  the  libraries  “pcap”  and  “bias”  as  well  as  creating  a  separate  library  for 
the  ELIDe  functions  called  “elide  test”.  The  makefile  produces  a  binary  called 
“pcapElide”  using  the  other  3  dependencies  as  static  libraries.  An  example  of  the 
Android.mk  file  is  provided  in  Appendix  B. 

3.6  Compile  ELIDe  Native  Executable 

The  steps  to  properly  compile  and  build  the  ELIDe  native  code  are  as  follows: 

•  Build  the  BLAS  libraries 

•  Build  the  pcap  libraries 

•  Build  the  ELIDe  native  code  using  the  “ndk-build”  command  from  the 
“elide/jni”  project  directory 

•  Build  the  ELIDe  C++  header  files  in  the  ElideTest  directory  using  the 
“build-header-script”  script 
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•  Build  the  ELIDe  executable  by  using  the  “build-script”  from  the 
ElideTest/jni  directory 

3.7  The  Android  Application  Front  End 

Android  applications  (apps)  are  written  using  the  Java  programming  language. 
They  generally  use  one  or  more  of  the  following  components  as  per  the  Android 
Developers  website^: 

•  Services — A  service  application  is  a  component  that  can  perform  long- 
running  operations  in  the  background  and  does  not  provide  a  user  interface. 
EEIDe  for  Android  makes  use  of  2  services:  ElideTestService  and 
ElideFileStatusService. 

•  Activities — ^An  activity  is  a  user  interface  that  utilizes  the  entire  screen  of  a 
mobile  device.  An  application  can  utilize  multiple  activities  if  it  requires 
multiple  full-screen  user  interfaces.  ELIDe  for  Android  makes  use  of  3 
activities:  ElideActivity,  ViewLog Activity,  and  ElideSettingActivity. 

•  Content  Providers — Content  providers  allow  for  the  structure,  storage,  and 
security  of  data  within  an  application.  ELIDe  for  Android  uses  a  single 
content  provider  to  store  the  configuration  settings  for  the  application. 

•  Broadcast  Receivers — A  broadcast  receiver  is  a  component  that  receives 
notification  when  a  registered  event  has  occurred.  ELIDe  for  Android 
makes  use  of  2  broadcast  receivers:  battery  level  and  service  termination. 

In  addition  to  the  components  used  by  Android  applications,  ELIDe  for  Android 
utilizes  a  single  native-code  executable  called  pcapElide.  The  Android  front  end 
will  spawn  the  pcapElide  executable,  which  performs  the  data  capture  and  ELIDe 
analysis  natively. 

4.  Application  Operational  Breakdown 

An  Android  application  requires  a  main  activity  to  run  when  the  application  starts. 
ElideActivity  provides  the  main  user  interaction  to  the  ELIDe  application.  In 
addition,  this  activity  can  be  configured  to  be  notified  when  the  available  battery 
power  drops  by  a  percentage  and  record  this  information  along  with  the  current  run 
time  of  the  ElideTestService.  This  option  will  help  to  determine  how  much  power 
the  ELIDe  application  uses. 

In  order  to  turn  on  the  detection  capabilities  of  ELIDe,  the  ElideTestService 
initiates  the  ELIDe  native  executable  pcapElide  when  the  user  presses  the  “Start 
Service”  button  in  the  ElideActivity.  This  service  also  initiates  the  privilege 
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escalation  needed  to  run  the  executable  with  root  context.  As  the  pcapElide  native 
executable  runs,  it  1)  records  the  alerts  to  a  file  that  the  ElideFileStatusService  can 
read,  2)  sends  Android  notifications  to  the  device,  and  3)  provides  the  alert  statistics 
to  ElideActivity  for  display.  The  service  is  currently  configured  to  retrieve  this 
information  every  2  s. 

The  ViewLogActivity  allows  users  to  view  the  current  power-statistics  logs,  and  it 
can  be  modified  to  view  other  logs  such  as  the  alert  log.  The  ElideSettingActivity 
provides  a  user  interface  in  which  the  configuration  settings  of  the  application  can 
be  modified.  This  activity  is  derived  from  the  AndroidPreference  Fragment 
container  class  so  that  the  information  that  is  stored  can  be  shared  among  other 
classes  within  the  application.  Diagrams  of  the  EEIDe  Android  application  classes 
are  located  in  Appendix  D. 

When  the  user  presses  the  “Stop  Service”  button  located  in  the  ElideActivity,  this 
will  terminate  the  pcapElide  native  binary.  In  addition,  if  using  EEIDe  on  an  offline 
packet-capture  (pcap)  fide,  the  JNI  module  that  does  not  require  root  escalation  to 
handle  EEIDe  analysis  will  terminate  once  the  file  has  been  processed. 
ElideTestService  will  then  broadcast  an  intent  indicating  that  ElideTestService  has 
stopped.  Because  ElideActivity  is  registered  with  the  ElideTestService, 
ElideActivity  will  receive  the  intent,  disable  the  “Stop  Service”  button,  and  enable 
the  “Start  Service”  button. 

5.  Elide  for  Android  Application  Package 

An  Android  application  includes  a  number  of  different  components,  not  just  the 
Java  source  code,  and  it  also  includes  but  is  not  limited  to  the  following; 

•  Android  Manifest — an  XML  file  that  contains  the  metadata  about  the 
application  including  the  application  name,  required  permissions,  types  of 
components,  component  interactions,  etc. 

•  Resources — items  such  as  image  files,  text  information,  and  user-interface 
elements  are  defined  here. 

•  Source — the  Java  source  code  for  the  application. 

The  AndroidManifest.xml  resides  in  the  project’s  root  directory.  It  is  the  “must 
have”  file  that  is  generated  when  the  new  Android  application  project  is  created 
using  Eclipse.  In  addition,  it  is  an  xml  file  that  describes  the  essential  parts  of  the 
app.  This  file  contains  multiple  sections  such  as  the  permission  section,  which 
indicates  the  permissions  needed  that  must  be  granted  by  the  user,  and  the  version 
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section,  which  contains  information  indicating  the  specific  minimum  versions  of 
Android  required  to  run  the  application. 

Furthermore,  the  AndroidManifest.xml  file  also  describes  the  elements  of  the 
Android  application  including  the  component  name,  component  type,  and 
component-related  elements  as  well  as  the  interactions  among  the  components  via 
intents.  The  components  described  in  the  file  for  test  application  include  those  listed 
previously  in  Section  3.7.  An  example  of  an  AndroidManifest.xml  file  is  illustrated 
in  Appendix  C. 

5.1  Deploying  the  Application 

There  are  2  methods  of  deploying  the  Android  ELIDe  app.  For  Method  1,  use  the 
“adb  install”  command  on  the  command  console  to  install  the  app  onto  the  device. 
Next,  open  the  shell  console  and  type  “adb  devices”  to  make  sure  the  device  is 
connected.  Change  the  directory  to  the  project’s  bin  path,  and  an  .apk  file  (i.e., 
ElideTest.apk)  should  appear.  Type  the  “adb  install  ElideTest.apk”  command  on 
the  console,  and  the  app  should  be  installed  onto  the  device.  For  Method  2,  use 
Eclipse  for  the  deployment:  open  Eclipse,  select  the  ElideTest  project,  right  click 
the  ElideTest  project,  and  select  the  “Run  As->Android  Application”  option.  This 
process  will  install  the  app  to  the  device. 

6.  Application  Configuration 

The  ELIDe  application  for  Android  has  a  number  of  configuration  items  that  can 
be  changed  directly  from  the  ElideSettingActivity.  Several  configuration  options 
were  designed  to  support  the  research  project  to  measure  how  much  power  the 
Android  device  utilizes  with  ELIDe.  Initial  versions  of  the  program  required 
changing  hard-coded  configuration  options  and  redeploying  the  application  to  the 
mobile  device;  therefore,  these  values  became  user  changeable  from  the  settings 
activity.  The  configuration  options  include  the  following: 

•  Notification  Interval — changes  the  delay  in  which  the  ElideTestService 
pulls  information  from  the  file  generated  from  pcapElide.  The  default  is  2 

s. 

•  Network  Device  to  Capture — changes  the  network  device  to  be  used  for 
monitoring.  The  default  is  wlanO:  the  primary  Wi-Fi  network  adapter  on  the 
device.  In  addition,  none  or  one  offline  pcap  fide  on  the  device  can  be  set. 

•  Promiscuous  Mode — sets  the  device  used  for  monitoring  into  promiscuous 
mode.  Typically,  this  will  not  change  anything  because  the  appropriate 
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drivers  that  allow  the  network  deviee  to  enable  promiseuous  mode  are  not 
ineluded  in  a  stock  Android  installation. 

•  Data  Capture  Only — activation  of  ELIDe  classification,  but  it  only  utilizes 
libpcap  to  capture  network  traffic  and  move  it  into  a  buffer. 

•  Weight  File  to  Chose  From — FFIDe  can  be  trained  with  different  data  or  at 
different  N-gram  lengths  or  hash  lengths.  All  of  this  can  influence  how  the 
weight  file  is  produced.  This  configuration  allows  for  changing  to  different 
weight  files. 

•  pcap  File  to  Be  Analyzed — If  the  network  device  is  set  to  an  offline  pcap 
file,  the  name  of  the  file  can  be  specified  in  this  configuration  option. 

•  Save  Stat  Data — By  default,  FFIDe  for  Android  only  saves  the  network  and 
classification  statistics  to  an  alert  file  after  the  service  has  stopped. 
However,  this  information  can  be  saved  on  a  regular  interval  by  enabling 
this  option. 

•  Update  Interval — set  the  update  interval  for  the  statistics  file. 

•  Stat  File  Name  to  Be  Saved — name  of  the  file  to  save  the  statistics 
information. 

•  Record  Battery  Fevels  to  File — enables  FFIDe  for  Android  to  save  the 
current  service  run  time  to  file  every  time  the  battery  power  drops  a 
percentage. 

•  Battery  Filename  to  Be  Saved — name  of  the  file  on  which  to  save  battery 
information. 

•  Save  All  Data  to  pcap  File — saves  all  network  traffic  to  a  pcap  file. 

•  pcap  File  to  Be  Saved — the  name  of  the  pcap  file  on  which  to  save  all  traffic. 

•  Save  Alert  Data — saves  onto  a  pcap  file  on  which  all  network-traffic  alerts 
caused  by  FFIDe  analysis. 

•  Alert  pcap  File  to  Be  Saved — the  name  of  the  pcap  file  on  which  to  save  the 
alert  network  traffic. 

•  Save  None  Alert  Data — saves  to  a  pcap  file  on  which  all  network  traffic  that 
did  not  cause  an  alert. 

•  None  Alert  pcap  File  to  Be  Saved — name  of  the  file  on  which  to  store 
network  traffic  that  did  not  generate  an  alert. 
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All  of  these  options  are  available  from  the  application  during  run  time.  Changes 
occur  once  the  service  is  started  or  restarted.  They  will  not  be  applied  when  the 
service  is  in  capture  or  classification  mode. 

7.  Application  Usage 

When  starting  the  ELIDe  for  Android  application,  the  first  activity  to  greet  the  user 
is  the  ElideActivity.  Erom  this  screen,  the  user  can  start  and  stop  the  detection 
service  as  well  as  observe  the  relevant  statistics  from  the  service  itself,  including 
the  number  of  alerts  generated.  In  addition,  certain  network  statistics  (such  as 
packets  captured  and  dropped)  are  displayed  here.  To  start  or  stop  the  service,  the 
user  can  press  the  <start  service>  button  or  <stop  service>  button. 

Because  the  service  requires  root  context  to  view  packets  coming  into  a  network 
interface,  a  prompt  will  be  presented  to  the  user  allowing  the  program  to  assume 
root  privileges  once  the  <start  service>  button  is  pressed.  If  the  permission  is  not 
granted,  the  service  will  not  start. 

Once  the  ELIDe  service  is  started,  all  files  that  are  written  to  the  device  from  within 
the  application  are  overwritten  rather  than  appended  to  the  same  file.  Eor  instance, 
the  alert  file  or  statistics  file  will  be  cleaned  and  only  updated  with  the  information 
retrieved  during  the  currently  running  instance  of  the  service.  This  information  is 
preserved  after  service  is  stopped  and  only  reset  after  the  service  is  started  again. 
This  process  will  allow  data  to  be  retrieved  for  further  analysis  without  having  to 
reset  the  files  each  time  the  service  is  run. 

If  any  of  the  configuration  options  need  to  be  changed,  they  can  be  accessed  via  the 
normal  Android  settings  button.  Once  the  <settings>  button  is  pressed,  the  user  will 
be  able  to  access  the  ElideSettingActivity.  In  addition,  this  process  is  also  used  to 
view  the  logs  or  manually  refresh  the  statistics  displayed  on  the  main  activity  page. 

7.1  Notifications 

While  the  application  is  running  and  the  service  is  performing  network-packet 
classification,  the  device  will  receive  a  notification  if  an  alert  has  been  generated 
from  network  traffic.  As  the  alert  file  produced  by  the  native  binary  pcapElide  is 
polled,  new  alerts  will  generate  a  notification  that  will  be  listed  in  the  Android 
notification  list.  The  interval  to  poll  can  be  changed  in  the  configuration  settings. 
Notifications  can  also  be  disabled  in  the  configuration  settings.  If  the  application  is 
configured  to  disable  ELIDe  detection,  no  notifications  will  be  generated. 
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8.  Conclusions 


In  this  study,  ELIDe  was  found  to  be  effective  in  performing  network  packet 
classification  with  fewer  computational  requirements.  As  a  result,  this  technology 
has  a  proven  benefit  for  mobile  devices  due  to  its  normal  battery-usage 
consumption.^  This  document  provides  a  general  guide  for  any  software  engineer 
to  write  an  Android  application  using  ELIDe. 
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Appendix  A.  Example  Struct  Declaration  Using  Extern  “C" 


This  appendix  appears  in  its  original  form,  without  editorial  change. 


struct  declaration: 
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Appendix  B.  Example  Android. mk  File  for  ELIDe 


This  appendix  appears  in  its  original  form,  without  editorial  ehange. 
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LOCAL_PATH  :=  $(call  my-dir) 

include  $ ( CLEAR_VARS ) 

LOCAL_MODULE  :=  blas_LINUX 

ifeq  "$ (TARGET_ARCH_ABI) "  "armeabi-v7a" 

LOCAL_SRC_FILES  := 

$ (LOCAL_PATH) /blas/obj /local/armeabi- 
v7a/libblas  LINUX. a 

else  ifeq  " $ (TARGET_ARCH_ABI ) "  "x86" 

LOCAL_SRC_FILES  := 

$ (LOCAL  PATH) /blas/obj /local/x86/libblas  LINUX. a 
else 

LOCAL_SRC_FILES  := 

$ (LOCAL  PATH) /../.. /blas/obj /local/armeabi/libblas  LINUX. a 
endif 

include  $ ( PREBUILT_STATIC_LIBRARY) 

include  $ (CLEAR_VARS) 

LOCAL_MODULE  :=  pcap 

ifeq  "$ (TARGET_ARCH_ABI) "  "armeabi-v7a" 

LOCAL_SRC_FILES  := 

$ (LOCAL_PATH) /../../ pcap_test/ obj /local/ armeabi- 
v7a/libpcap . a 

else  ifeq  " $ (TARGET_ARCH_ABI ) "  "x86" 

LOCAL_SRC_FILES  := 

$ (LOCAL_PATH) /../../ pcap /obj /local/x86/libpcap . a 
else 

LOCAL_SRC_FILES  := 

$ (LOCAL_PATH) /../.. /pcap /obj /local/armeabi/libpcap . a 
endif 

include  $ ( PREBUILT_STATIC_LIBRARY) 

include  $ ( CLEAR_VARS ) 

LOCAL_MODULE  :=  elide_test 

LOCAL  SRC  FILES  :=  MurmurHashS . cpp  cmdline  parsing. cpp 
snort_oracle . cpp  elide. cpp 

LOCAL_STATIC_LIBRARIES  :=  blas_LINUX  pcap 
include  $ (BUILD_STATIC_LIBRARY) 

include  $ ( CLEAR_VARS ) 

LOCAL_MODULE  :=  pcapElide 
LOCAL_SRC_FILES  :=  pcapElide . cpp 
LOCAL_LDLIBS  :=  -llog  -landroid 
LOCAL_CFLAGS  +=  -std=c++ll 
LOCAL_STATIC_LIBRARIES  :=  elide_test 
include  $ (BUILD  EXECUTABLE) 
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This  scheme  basieally  creates  3  statie  libraries  (bias,  pcap,  and  elide  test)  and  one 
exeeutable  (peapElide).  This  exeeutable  ean  be  ealled  by  the  Android  ELIDe 
applieation. 
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Intentionally  Left  Blank. 
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Appendix  C.  AndroidManifest.xml  Example 


This  appendix  appears  in  its  original  form,  without  editorial  ehange. 
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<?xml  version=" 1 . 0 "  encoding="utf-8 " ?> 

<manif est 

xmlns : android="http : //schemas . android. com/apk/res/android" 
package="com . example . elidetest" 
android: vers ionCode=" 1 " 
android: versionName="l . 1"  > 

<uses-permission 

android: name="android. permission . WRITE  INTERNAL  STORAGE"  /> 
<uses-permission 

android: name="android. permission . READ  INTERNAL  STORAGE"  /> 
<uses-permission 

android: name="android. permission . WRITE  EXTERNAL  STORAGE"  /> 
<uses-permission 

android: name="android. permission . READ  EXTERNAL  STORAGE"  /> 
<uses-permission 

android: name="android. permission . RECEIVE  BOOT  COMPLETED"  /> 
<uses-permission 

android: name="android. permission . INTERACT  ACROSS  USERS"  /> 
<uses-permission 

android: name=" android. permission .VIBRATE"  /> 
<uses-permission  android: required="true" 

android : name=" android . permission . INTERNET"  /> 
<uses-permission  android: required="true" 

android : name=" android . permission . NETWORK"  /> 
<uses-permission  android: required="true" 

android: name="android. permission .ACCESS  NETWORK  STATE"  /> 
<uses-permission  android: required="true" 

android: name="android. permission .ACCESS  WIFI  STATE" 

/> 

<uses-permission  android: required="true" 

android: name="android. permission . CHANGE  NETWORK  STATE"  /> 
<uses-permission  android: required="true" 

android: name="android. permission . CHANGE  WIFI  STATE"  /> 
<uses-sdk 

android: minSdkVersion=" 16" 
android: targetSdkVersion="I9"  /> 

<application 

android: allowBackup="true" 
android: icon=" @drawable/ic  launcher" 
android: label=" @ string/app  name" 
android: theme="@style/AppTheme"  > 

<activity 

android: name="com. example . elidetest . ElideActivity" 
android: label="@string/app  name"  > 
<intent-filter> 
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<action 

android: name=" android. intent. act ion. MAIN"  /> 

<category 

android: name="android. intent . category. LAUNCHER"  /> 
</intent-filter> 

</activity> 

<activity 

android: name=" . ViewLogActivity"  /> 

<activity 

android: name=" . ElideSettingActivity"  /> 

<service 

android: name="ElideFileStatusService"></ service> 

<service  android : name="ElideTestService"></service> 
<receiver 

android: name="BootCompleteReceiver "></receiver> 
<intent-filter> 
taction 

android:  name="android. intent . action . BOOT  COMPLETED"  /> 
taction 

android: name="android. intent . action . ACTION  EXTERNAL  APPLICA 
TIONS_AVAILABLE"  /> 

tcategory 

android: name="android. intent . category. DEFAULT"  /> 
t/intent-filter> 
treceiver 

android: name=" ServiceReceiver">t/receiver> 
tintent-filter> 
taction 

android: name="com. example . elidetest . ElideActivity . SERVICE  C 
OMPLETED"  /> 

t/intent-filter> 

tintent-filter> 

taction 

android: name="com. example . elidetest . ElideActivity. STATUS  UP 
DATE"  /> 

t/ intent -filter> 
t/application> 


t/manifest> 


Intentionally  Left  Blank. 
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Appendix  D.  ELIDe  Android  Application  Class  Diagrams 


This  appendix  appears  in  its  original  form,  without  editorial  ehange. 
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«Java  CIb5s» 

0ElicleActivity 


O  mTVl;  TaxtView 
o  fnTV2:  TexiVtew 
O  rnTV8aiefyLeve4:  TexiView 
O^mOataF  JPathFieName:  amp 

o^mNolficaUoniO:  rt 


o^mOataPaih  St/wxa 
0^mW«iqh>Pite>:  smnq 
o^mpCapPie:  Stiwig 
o^mExgcPcapQde:  Sinnq 


^PCAP. 


EXE:  Sifinq 


A  mS4artBo(ton:  Button 


<^^mse*viC€Stan«l:  teoiMn 

A  mStofAMton:  Bunon 
A  mExUButton:  Button 
o  MBytes:  kMig 
•*^EideActiviiyO 
Q  oncreaie(Bun(Se):void 
Q  onPat^eO^voKl 
O  onOestroyO:vo«] 

showCiarenlStaie(}:void 

■  re95terMyRece«t/erO:vo«l 

O  onResmieO:vo^ 

p  re^terBaitefyRecefverO-Void 

■  fecordBajtefyLeveH5oai.«it):vaKl 

•  onCrea(eOptionsMenii(Menu):bootoan 

%  ooOptiQnstte«nGclocle<t(MeouHeffi):bootean 
^  onActAr«yRe3iA(nl.ni.lntent}:voKJ 

•  Oi£xAA(]p(View):vod 
^  staftSefvice{View}:voad 

•  siopSetvKe(Vtew):vaKi 
9  onNewin(eni{lr«er«);void 
^  readStatusFie{|:void 

p  retnevePiesFrofnAssetsO  voKl 
p  cof>yF4eFrcfn.Assets(Stnng.stnng.Sosig):vaKl 
^t»dNe<wofkDevicesO:ArrayLi3t<S<nncp 

p  scanNetwoffcOevKesO^void 

•  9eiW(lfSqna(5trengtfHConiexi);mi 

p  sEUeRunnngO-t’^’o*^^ 

•  v«ewStocageSpaceO:void 
p  To(a}MefnQfyO:tong 

p  FrooMcmotyO  tong 
p  BusyMemoryO:>ong 


«Java  cias$» 

0  ElideSettingActivity 

ccvn  Avjvnpc  mucisA 


i  mServiceName:  Stmg 
Vwth  Reoesi  code:  rt 

mBroadcastReceiver'  BroadcastReceA/er 


^  ESdeSettIngAc  tAriiyO 
.  onCreaie<Bmfc};void 
p  ortf>ref»reO|iiionsMenu(Menu):booiean 


«Java  ctass» 

0  ViewLogActi  vity 


a  mLvHeacing:  UstView 
A  mLvDaia;  ustview 
A  mMapHeacing:  HashMap<Stmg.S<nn9> 

A  mUstDaia:  ArTayiJBt<HashMap<5trwig.stTaig» 
A  mustTile;  AnayLfit<MashMapcstiin9.stmg» 
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^v^fwLogActwayO 
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P  showOaia(Stmg):void 
A  readDaia(Buf{eretf^eactef.boatean}:bootear 
A  showtieadngO-void 
A  tPOata0:voal 
p  9e4FteLisi{SlT«ig) 

P  onCfcckOpenFie(View};vo«d 


«java  ciass» 

@  Elide  FileStatusService 

ctjn  0C9n|KaKk>est 


A  sdf:  SanijieOateFormat 
o^pos:  SlTwiq 
O^neg:  Siiwiq 
o^rxToia^  SiTwiq 
u^fxProps:  stmg 


PEWePie  Status  SaivceO 
p  se«Riavwi9(bootean):vaid 
p  startThreadQivoid 
p  stop'nveadO:voK} 

P  oncreateQ  void 
p  onBa)d(lnteni):iB«ider 
p  onOesiroyO  void 
p  onUnbnd(inlefit}:bootean 
p  t\jnO:void 

p  onStancommand(tnieni.«M.it(};ni 
p  checkadeTestFieStalusO:void 
P  showNoUficationO:void 


c<java  Ciass» 

0ElideTestService 


^Eff  None:  int 
^ Eff_Setvice_No<_Rurwng:  wt 
En_EtdeCof>ti9_MaHofm:  rH 
yEft  Config  Name_Empty:  W 
o^EhteTesiSeivKeStatus:  String 

o^mEfcteProcess'  Process 
A  mReader:  Bufferet^aader 

^EWeTestsetviceO 

P  an6vid(iniefM):lBvvler 
P  se<Rmw)9(booiean):votcl 
p  niEMeO  M 
p  startEMeO 
p  stafiThreadO  void 
p  stopThreadO^booiean 
P  isSarvKeRurw90:bootean 
p  onCreateO  void 
P  anDestroyO:void 
p  onurtMid(1ntenl}:bootew 
p  natO-voKl 

p  onStaftComrnand(lnient.ffit.ffii):«a 
p  createProcess(Stmg);boolean 
p  geiRootO-void 
P  ie«mCa(ituraPacl(e<sO:bootean 
Q^cfeateOtjnmyPte{Slfwig):bootean 

p  nnCaplurePacketsO  bootean 
P  isRootAccessO-doclBan 
a^natnwade(Stnng.Stnng.Slmg.Stnng):K 

M^naSiattEkteTestfi 

a^naStopSie<vceO:void 

Bf*naisSe*victf^tfinatgQ:an 

<i?9«cpuTypeQ 


«Java  Ciass» 

0  BootCompleteReceiver 

orn  Cktfnpe  dKMea 


fpBooiCofnpleteRecefverO 
P  onReceftfe(Contexi.inteni):void 


«Java  ctass» 

0  MyPreferertceFragment 

ccvnnsmfMOidaai 


df  MyPreferencaFragrnemO 

p  onCrealei(BuncBe):voKl 
P  onResunieO^void 

p  onshare(lPre<ereoceChan9e<t(Shariec^e4erences.Stnng}:voio 
p  ipdalePreferefKe(PTefer€«Ke.boo(ean}:voMl 
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<i?isWihEnai]ied(Coniext):bootean 

tt^9e<Witnnfo(Coniext):Wifiinfo 
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<^isNe<yfOffcCoonected(Context):bootean 

p  onActiv^yResiii(m.«ii.inieni}:voKl 

A  ipdaieWrfrfHeferenceSiate{ListPTe(erence.Wi4iMana9er.booiaan):v 
A  ipdaieWifiStalusO  void 
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List  of  Symbols,  Abbreviations,  and  Acronyms 


AVD 

Android  Virtual  Device 

BLAS 

Basic  Linear  Algebra  Subprograms 

ELIDe 

Extremely  Lightweight  Intrusion  Detection 

JNI 

Java  Network  Interface 

OS 

operating  system 

PC 

personal  computer 

pcap 

packet  capture 

SDK 

Software  Development  Kit 
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